Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I’m struggling to come up with an iptables rule(s) to allow DNS traffic below from a client machine to my private DNS server on the same network. Any help is very much appreciated.
DNS server IP address: a.b.c.100
Client IP address: a.b.c.200
The message captured in client’s /var/log/messages after all the rules were processed :
Since the default for OUTPUT chain is ‘accept’, I can’t wrap my head around what’s missing.
DNS server is not an issue, it works well with all other clients.
firewalld is disabled. I’m running iptables instead.
iptables -S output (after masking, and stripping down unrelated lines):
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -d 224.0.0.0/4 -p igmp -j DROP
-A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -i enp1s0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s a.b.c.200/32 -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j DROP
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -p udp -m udp --sport 5353 -j ACCEPT
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d a.b.c.200/32 -i enp1s0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -d a.b.c.200/32 -i enp1s0 -p udp -m udp --sport 123 -m comment --comment ntp -j ACCEPT
-A INPUT -j LOG --log-prefix "** iptables-INP ** "
-A FORWARD -p tcp -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j LOG --log-prefix "** iptables-FWD ** "
-A OUTPUT -d 224.0.0.0/4 -p igmp -j DROP
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d a.b.c.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d a.b.c.100/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -p udp -m udp --dport 123 -m conntrack --ctstate NEW -m comment --comment ntp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "** iptables-OUT ** "
If this is homework, it's not going to pass. In case you did write those rules on your own, OP:
I'd make a rule on client to accept input from server:53, and accept output to server:53 (if the server responds on port 53).
Can't reliably filter by client sport in output or client dport in input since those might be random ports.
Note that I post only to answer the title. Those rules are not something I'd try and fix, it'd be faster to rewrite if you want my honest opinion.
And another couple of things, if you search "-o" you'll see output interface is unspecified.
When/if interface name changes, any rule with enp1s0 becomes useless, so you must then manually replace all instances of enp1s0,
Might be faster for you to write something like this so you only replace one line when/if interface or ip address changes:
Everyone's got different style I guess, but it'll be more readable that way.
Also, it'd be much easier to work through using the current tool, nftables, instead of the deprecated tool, iptables. You can even define variables within nftables.
Also, it'd be much easier to work through using the current tool, nftables, instead of the deprecated tool, iptables. You can even define variables within nftables.
Well, that is something I'll have to do at some point before 2024, among other things.
But I'm just taking care of old computers now, with long term kernels, so iptables was good enough for me.
And there's one more thing I've neglected to mention, because I was in a hurry yesterday.
Planned to make it a multiport match to save 2 lines, but completely forgot about it later and omitted a protocol match as well.
Thanks folks for all the suggestions. I figured the whole issue stems from my vpn configuration. For some reason dns traffic is directed to some odd 127.0.0.53 address, instead of my dns server. So I'll have to look into that first.
Last edited by gotaquestion; 05-05-2021 at 08:02 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
